Camaleon CMS - Stored Cross-Site Scripting (XSS) in Comments
Description
Camaleon CMS versions 0.0.1 to 2.6.0 are vulnerable to stored XSS, which allows an unauthenticated attacker to store malicious scripts in the comments section of a post. These scripts are executed in a victim’s browser when they open the page containing the malicious comment.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated stored XSS in Camaleon CMS comments (≤2.6.0) allows attackers to execute arbitrary scripts in victims' browsers.
Vulnerability
Camaleon CMS versions 0.0.1 through 2.6.0 are vulnerable to stored cross-site scripting (XSS) in the comments section of posts. The application renders comment content using the raw helper (e.g., raw comment.content) [3], which marks the stored string html_safe and so bypasses ERB's automatic HTML escaping. An unauthenticated attacker can submit a comment containing arbitrary JavaScript code that is permanently stored on the server. The vulnerability is present in all themes and default views that render comments without escaping or sanitization [3].
Exploitation
An unauthenticated attacker can navigate to any post on a Camaleon CMS site that allows comments (comments are enabled by default) and submit a crafted comment containing malicious JavaScript. The comment is stored in the database. When any victim (including site administrators or visitors) loads the page containing that comment, the script is executed in the victim’s browser. No user interaction beyond viewing the page is required [1][4].
Impact
Successful exploitation results in stored XSS, allowing the attacker to execute arbitrary JavaScript in the context of the victim’s session. This can lead to session hijacking, credential theft, defacement, or redirection to malicious sites. The attack does not require any prior authentication or special privileges [1][4].
Mitigation
The fix was committed in version 2.6.0.1 by replacing raw comment.content with either comment.content (auto-escaped by ERB) or sanitize comment.content (allow-list sanitized) [3]. Users should upgrade to version 2.6.0.1 or later. If upgrading is not immediately possible, the workaround is to disable comments on all posts or to manually apply the same change to custom themes. No further workarounds are documented [1][2][3][4].
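As an added example (not code from Camaleon CMS or from the advisory), the Ruby script below reproduces, with only the standard library, the difference described under Vulnerability and Mitigation: a template that interpolates a stored comment verbatim (what Rails' raw does), the escaped rendering the fix switched to, and a small source audit that flags the raw comment.content pattern the fix removed from view code. The comment payload, the view fragment and the helper names (render_vulnerable, render_fixed, emits_active_markup?, unsafe_comment_renders) are constructed for this example.

```ruby
require "erb"

# Constructed comment body for the demonstration (not taken from the advisory).
# It carries markup that a browser would execute if emitted unescaped.
MALICIOUS_COMMENT = 'Nice post!<script>alert(1)</script><img src=x onerror="alert(2)">'

# Vulnerable view, modelled on the pre-fix partials: Rails' `raw` marks the string
# html_safe so ERB interpolates it verbatim. Stdlib ERB never escapes, so a bare
# `<%= content %>` here behaves exactly like `<%= raw comment.content %>` in Rails.
VULNERABLE_TEMPLATE = ERB.new(<<~TPL)
  <div class="panel-body">
    <%= content %>
  </div>
TPL

# Fixed view: escape before emitting. Rails does this automatically for
# `<%= comment.content %>`; with stdlib ERB the escape must be explicit.
FIXED_TEMPLATE = ERB.new(<<~TPL)
  <div class="panel-body">
    <%= ERB::Util.html_escape(content) %>
  </div>
TPL

def render_vulnerable(content)
  VULNERABLE_TEMPLATE.result_with_hash(content: content)
end

def render_fixed(content)
  FIXED_TEMPLATE.result_with_hash(content: content)
end

# Conservative check for the markup a stored-XSS payload needs: an unescaped
# script tag or an inline event-handler attribute surviving into the output.
def emits_active_markup?(html)
  html.match?(/<script\b/i) || html.match?(/<\w+[^>]*\son\w+\s*=/i)
end

# Source audit: flag lines in ERB views or string-building helpers that output
# comment content without escaping. The first pattern is the one the fix commit
# removed; the others are equivalent spellings worth catching in custom themes.
UNSAFE_PATTERNS = [
  /<%=\s*raw\s+comment\.content/,
  /comment\.content\.html_safe/,
  /#\{comment\.content\}/   # interpolation into a string later marked html_safe
].freeze

# Returns [[line_number, stripped_line], ...] for every suspicious line.
def unsafe_comment_renders(source)
  hits = []
  source.each_line.with_index(1) do |line, lineno|
    hits << [lineno, line.strip] if UNSAFE_PATTERNS.any? { |re| re.match?(line) }
  end
  hits
end

# Constructed view fragment in the shape of the affected partials, for the audit:
# line 2 is the vulnerable form, line 5 the fixed form.
SAMPLE_VIEW = <<~TPL
  <div class="panel-body">
    <%= raw comment.content %>
  </div>
  <div class="panel-body">
    <%= comment.content %>
  </div>
TPL

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable output emits active markup: #{emits_active_markup?(render_vulnerable(MALICIOUS_COMMENT))}"
  puts "fixed output emits active markup:      #{emits_active_markup?(render_fixed(MALICIOUS_COMMENT))}"
  unsafe_comment_renders(SAMPLE_VIEW).each { |n, l| puts "unsafe render at line #{n}: #{l}" }
end
```

The audit half is the part worth keeping: run unsafe_comment_renders over the ERB and helper files of any custom theme before relying on the upgrade alone, since the advisory notes that themes carrying their own copy of the comments partial need the same change applied by hand.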
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| camaleon_cms (RubyGems) | >= 0.0.1, < 2.6.0.1 | 2.6.0.1 |
Affected products
- camaleon_cms/camaleon_cms (v5); Range: 0.0.1
Patches
05506e9087bb Sanitize comments
4 files changed · +7 −7
app/apps/themes/default/views/partials/_comments_list.html.erb+2 −2 modified@@ -11,10 +11,10 @@ <strong class="<%= (children.present?)? "pull-right" : "" %>"><%= user.the_name %></strong> <small class="text-muted <%= (children.present?)? "" : "pull-right" %>"><%= comment.decorate.the_created_at %></small> </div> <div class="panel-body"> - <%= raw comment.content %> + <%= comment.content %> </div><!-- /panel-body --> </div><!-- /panel panel-default --> </div><!-- /col-sm-5 --> </div> <%= render partial: "partials/comments_list", locals: { comments: comment.children.approveds, children: "present" } if comment.children.present? %> -<% end %> \ No newline at end of file +<% end %>
app/helpers/camaleon_cms/comment_helper.rb+1 −1 modified@@ -25,7 +25,7 @@ def cama_comments_render_html(comments) </div> <div class='media-body'> <h4 class='media-heading'>#{author.the_name} <small>#{comment.the_created_at}</small> <span class='label label-#{labels[comment.approved]} pull-right'>#{t("camaleon_cms.admin.comments.message.#{comment.approved}")}</span></h4> - <div class='comment_content'>#{comment.content}</div> + <div class='comment_content'>#{sanitize comment.content}</div> <div class='comment_actions'> <div class='pull-left'> <a href='#{cama_admin_post_comment_answer_path(@post.id, comment.id)}' data-comment-id='#{comment.id}' title='#{t('camaleon_cms.admin.comments.tooltip.reply_comment')}' class='btn btn-info reply btn-xs ajax_modal'><span class='fa fa-mail-reply'></span></a>
app/views/camaleon_cms/default_theme/partials/_comments_list2.html.erb+2 −2 modified@@ -6,7 +6,7 @@ </div> <div class="media-body"> <h4 class="media-heading"><%= link_to(user.the_name, user.the_url) %> <small class="pull-right"><%= comment.decorate.the_created_at %></small></h4> - <div><%= raw comment.content %></div> + <div><%= comment.content %></div> <% comment.children.approveds.each do |answer| user2 = answer.comment_user.decorate %> <div class="media"> <div class="media-left"> @@ -21,4 +21,4 @@ </div> </li> <% end %> -</ul> \ No newline at end of file +</ul>
app/views/camaleon_cms/default_theme/partials/_comments_list.html.erb+2 −2 modified@@ -12,10 +12,10 @@ <strong class=""><%= link_to(user.the_name, user.the_url) %></strong> <small class="text-muted pull-right"><%= comment.decorate.the_created_at %></small> </div> <div class="panel-body"> - <%= raw comment.content %> + <%= comment.content %> </div><!-- /panel-body --> </div><!-- /panel panel-default --> </div><!-- /col-sm-5 --> </div> <%= render partial: "partials/comments_list", locals: { comments: comment.children.approveds, children: "present" } if comment.children.present? %> -<% end %> \ No newline at end of file +<% end %>
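Review bot: In app/apps/themes/default/views/partials/_comments_list.html.erb, swapping `<%= raw comment.content %>` for `<%= comment.content %>` escapes the entire string, while app/helpers/camaleon_cms/comment_helper.rb in the same commit uses `sanitize comment.content`; pick one policy for comment bodies (escape everything, or allow-list sanitize) and apply it on every render path, otherwise a comment that displays with formatting in the admin list will show as literal tags on the public page. The `-<% end %> \ No newline at end of file` / `+<% end %>` pair is a trailing-newline fix unrelated to the security change and should be mentioned as such in the commit message.

Review bot: In comment_helper.rb, `sanitize comment.content` covers the interpolated comment body, but the same HTML string also interpolates `author.the_name` and `comment.the_created_at` with no visible escaping; if the assembled string is emitted html_safe (which building raw `<div>` markup in a helper implies), those fields need escaping too (e.g. `#{h author.the_name}`) unless they are already sanitized upstream, and nothing in the hunk confirms that. Since `sanitize` here is applied to user-supplied text, an explicit tags/attributes allow-list suited to comments is preferable to relying on the default safe list.

Review bot: In app/views/camaleon_cms/default_theme/partials/_comments_list2.html.erb, the same consistency point applies: `<%= comment.content %>` escapes rather than sanitizes, diverging from the helper. The second hunk (`-</ul> \ No newline at end of file` / `+</ul>`) is whitespace-only churn.

Review bot: app/views/camaleon_cms/default_theme/partials/_comments_list.html.erb is a near-verbatim copy of the app/apps/themes/default partial, and both needed the identical one-line change; rendering the comment body through one shared helper would mean a future regression (or the next theme copied from these files) has a single place to get wrong rather than four.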
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-x78v-4fvj-rg9j (GHSA; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2021-25969 (GHSA; ADVISORY)
- github.com/owen2345/camaleon-cms/commit/05506e9087bb05282c0bae6ccfe0283d0332ab3c (GHSA; x_refsource_MISC; WEB)
- www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25969 (GHSA; x_refsource_MISC; WEB)
News mentions
No linked articles in our index yet.